Trust

Enterprise‑grade security for your operations

All your information is kept safe. In transit and at rest, your data stays encrypted. Access is controlled with role‑based permissions so the right people see the right things at the right time.

  • Encryption in transit & at rest
  • Role‑based access control
  • Segregated app & data tiers
  • Monitoring & logging

Last updated: 23/09/2025

Powering the leading aviation companies

Arid Air
Fly2Health
Shoal Air
Aerohire
Albany Aviation
Helilogistics
Angel Flight
Kalbarri Scenic Flights
FlyWest

We don’t currently hold formal security certifications or third‑party attestations. Even so, we build for security by default: encrypted transport and storage, strict access control, environment separation, backups, and change management with peer review. Here’s how that translates into practice.

Core safeguards

Always encrypted

Data is encrypted in transit (HTTPS/TLS) and at rest using modern, industry‑standard encryption.

Access controls

Role‑based permissions with least‑privilege access for app features and internal systems.

Separation of tiers

Dedicated application and data layers with scoped credentials and environment segregation.

Backups & change control

Regular backups and restoration drills. Peer‑reviewed changes with CI testing and branch protection.

Procedures & controls

Policies and documentation

We maintain written information security policies and operational runbooks. These documents help ensure consistent control implementation, security reviews, and clear incident response steps.

Secure development lifecycle

Our SDLC includes code reviews, automated testing, and dependency monitoring. We aim to catch issues early through static checks, linting, and security scanning in CI where applicable.

Monitoring and logging

We monitor application health and access logs to detect anomalies and investigate suspicious activity. Access to logs and operational tooling is restricted and audited where supported by the platform.

Employee training & access

Team members receive onboarding guidance and periodic refreshers on secure handling of data. Access is provisioned based on role and reviewed regularly.

Data protection

  • Encryption. TLS for data in transit; encryption at rest for databases, backups, and storage where supported by the underlying provider.
  • Authentication. Strong password requirements and session management. Multi‑factor authentication is enforced for internal administrative accounts and recommended for any integrated identity provider.
  • Data minimization. We only collect information necessary to deliver the product, and we retain it for as long as needed for our services or as required by law. See our Privacy Policy for details.

Penetration testing and assessments

We do not currently publish third‑party certifications or independent assessment reports. As we grow, we plan to introduce recurring third‑party testing and will update this page with outcomes and scope summaries.

Vulnerability disclosure

Security researchers and customers are welcome to report potential issues. We ask that you act in good faith, avoid privacy violations, service disruption, or degradation, and give us reasonable time to triage and remediate.

Please do

  • Provide a clear description with step‑by‑step reproduction details and impacted URLs.
  • Limit testing to your own accounts and data.
  • Comply with applicable laws and avoid accessing data that isn’t yours.

Please avoid

  • Running automated scanners or load testing against production without prior written approval.
  • Denial‑of‑service attacks, spam, social engineering, or physical security testing.
  • Exfiltrating data beyond what’s necessary to demonstrate impact.

Out‑of‑scope examples

  • Clickjacking on pages without a sensitive state‑changing action.
  • Missing security headers that do not lead to a demonstrable exploit (e.g., DNSSEC, CAA, CSP variations).
  • Use of weak TLS ciphers not actually negotiated by clients, or report‑only configurations.
  • Rate limiting bypasses without user impact or abuse scenario.
  • Issues requiring MITM, physical access, or rooted/jailbroken devices.

How to report

Please contact us via the Contact page and include “Security Report” in your message subject. If possible, share proofs of concept, logs, and screenshots. We’ll acknowledge receipt, keep you updated during triage, and let you know when a fix is deployed.

Legal safe harbor: If you follow these guidelines and act in good faith, we will not pursue legal action related to your report.

FAQ

Is data encrypted?

Yes. All data is encrypted in transit via TLS and encrypted at rest using modern, industry‑standard encryption.

Do you support role‑based access?

Yes. Permissions and roles support separation of duties and least privilege across the application.

Do you offer SSO?

Enterprise SSO integrations are on our roadmap. Get in touch to discuss your needs and timelines.

Roadmap

We plan to expand our security program with deeper third‑party testing, enhanced audit logging, finer‑grained permissions, and optional enterprise SSO integrations. As these become available, we will update this page.